SB2023032922 - SUSE update for rubygem-loofah
Published: March 29, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2022-23514)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing certain SVG attributes. A remote attacker can pass a specially crafted SVG file to the application and consume excessive CPU resources, causing a denial of service (DoS) attack.
2) Cross-site scripting (CVE-ID: CVE-2022-23515)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the image/svg+xml media type in data URIs. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Uncontrolled Recursion (CVE-ID: CVE-2022-23516)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when handling CDATA sections. A remote attacker can pass specially crafted data to the application and consume excessive CPU resources.
Remediation
Install update from vendor's website.